Making Privacy Operational

Introduction to the Privacy

Management Reference Model

John Sabo
Director, Global Government relations
CA, Inc. and President, ISTPA
john.t.sabo@ca.com

Michael Willett
President, WillettWorks Technology
and Board member, ISTPA
mwillett@nc.rr.com
John Sabo is Director, Global Government Relations for CA, Inc., serves as an
industry expert in the use of security and privacy technologies in trusted
infrastructures.

He is as an appointed member of the Department of Homeland Security’s Data

Privacy and Integrity Advisory Committee, and is a past member of National
Institute of Standards and Technology Information Security and Privacy
Advisory Board (ISPAB). He is a board member and President of the non-profit
International Security Trust and Privacy Alliance (ISTPA) and is a member of
the OASIS IDtrust Member Section Steering Committee.

John is active in information sharing, cyber-security and critical infrastructure

protection committees and organizations. He is a board member and past
President of the Information Technology-Information Sharing and Analysis
Center (IT-ISAC); member of the IT-Sector Coordinating Council; and
Immediate Past Chair of the ISAC Council.
Dr. Michael Willett received his BS degree from the US Air Force Academy
(Top Secret clearance) and his Masters and PhD in mathematics from NC State
University. After a career as a university professor of mathematics and
computer science, Dr. Willett joined IBM as a design architect, moving into
IBM's Cryptography Competency Center. Later, Dr. Willett joined Fiderus, a
security and privacy consulting practice, subsequently accepting a position with
Wave Systems. Recently, Dr. Willett was a Senior Director in Seagate Research,
focusing on security functionality on hard drives, including self-encryption,
related standardization, product rollout, patent development, and partner
liaison. Currently, Dr. Willett provides consultation for marketing storage-based
security. Dr. Willett also chairs the Privacy Management Reference Model
Project of the ISTPA, which developed an operational reference model for
implementing privacy requirements.
 Webinar Objectives
 Introduce the Privacy Management Reference Model
(PMRM) and proposed OASIS Technical Committee
 Generate interest from Privacy & Security WG and
Standards Committee members to make use of the PMRM
and contribute to the new TC
 companies, agencies and individuals to support the TC

as “proposers”
 current OASIS members and new members

 use-case development

 email discussion group has been established, open to

both OASIS and non-OASIS members: To join, send a

note to:
privacymgmt-discuss-subscribe@lists.oasis-open.org
OASIS Overview:
 OASIS (Organization for the Advancement of Structured
Information Standards) is a not-for-profit consortium that
drives the development, convergence and adoption of open
standards for the global information society. Founded in
1993, OASIS has more than 6,000 participants
representing over 700 organizations and individual
members in 100 countries.
 OASIS is distinguished by its transparent governance and
operating procedures. Members themselves set the OASIS
technical agenda, using a lightweight process expressly
designed to promote industry consensus and unite
disparate efforts.
 The Privacy Management Reference Model Technical
Committee (TC) will fall under the OASIS Identity and
Trusted Infrastructure Member Section, http://www.oasis-
idtrust.org/, along with several other security TCs.
 OASIS contact - dee.schur@oasis-open.org
 Why a
Privacy Management
Reference Model is Needed
John Sabo
Complex Privacy Landscape
 The Privacy Act of 1974 (U.S.)
 Council of Europe Convention 108
 OECD Privacy Guidelines
 UN Guidelines Concerning Personalized Computer Files
 Hong Kong Personal Data (Privacy) Ordinance
 EU Data Protection Directive 95/46/EC
 Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
 Canadian Standards Association Model Code (incorporated in the Personal
Information Protection and Electronic Documents Act [PIPEDA])
 International Labour Organization (ILO) Code of Practice on the Protection of
Workers’ Personal Data
 US FTC statement of Fair Information Practice Principles
 US-EU Safe Harbor Privacy Principles
 Ontario Privacy Diagnostic Tool
 Australian Privacy Act – National Privacy Principles
 California Senate Bill 1386, “Security Breach Notification”
 AICPA/CICA Privacy Framework
 Japan Personal Information Protection Act
 APEC (Asia-Pacific Economic Cooperation) Privacy Framework
 Global Privacy Principles/Practices
- similarities…but no Standardization

OECD Guidelines –
1980
 Collection Australian Privacy
Limitation Principles – 2001 APEC Privacy
 Data Quality  Collection Framework – 2005
 Use and  Preventing Harm
Purpose Disclosure Notice


Specification Data Quality
  Collection Limitation
 Use Limitation  Data Security  Uses of Personal
 Security  Openness Information
Safeguards  Access and  Choice
Correction Integrity of Personal
Openness 
Information

 Identifiers
 Individual  Anonymity  Security Safeguard
Participation  Trans-border  Access and Correction
 Accountability Data Flows  Accountability
 Sensitive
Information

Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)

Commonality Among Disparate
Principles/Practices

 Accountability  Data Quality

 Notice  Enforcement
 Consent  Openness
 Collection Limitation
 Use Limitation
 Disclosure •Anonymity
 Access & Correction •Data Flow
 Security/Safeguards •Sensitivity

from ISTPA “Analysis of Privacy Principles: An Operational

Study” (2007)
Security: Critical to Privacy

 Fundamental Security Services

 Confidentiality
 Data Integrity
 Availability
 Examples of Standards
 AES
 SAML 2.0
 PCI-DSS
 ISO 27001/2
 Rich and Mature Discipline – Cryptography, Controls…
 Many Mechanisms/Technologies/Solutions/Products
Key Security Mechanisms Supporting
Privacy…
 Identity Lifecycle Management and Compliance
 critical to privacy – the correct people should have access to the correct
information in a well defined identity system utilizing appropriate role model
policies
 Web access management, federation, Service Oriented Architecture
security
 Trust among multiple entities to facilitate controlled sharing of information –
strengthens security in complex infrastructures
 Resource Protection
 Privileged users are high risk and must be controlled and monitored
 Data Protection
 Data (at rest, in motion) must be monitored for improper leakage
 Log management
 provides the ability to watch what is happening -monitoring is key to
maintaining privacy
 …used in a Compliance Infrastructure for
Security
Multiple and distinct resources controlled and managed, providing common model
of roles, policies

Help Desk Identity Information Privileged

Access Auditing/
Lifecycle Protection & User
Management Reporting
Management Control Management
HR System

Common roles, policies, reporting, workflow

Directory Enterprise and Federated Infrastructure Event

Logs

Information Platform Applications

Content Repositories Systems Web
Files System Services ERP
Data in transit Mainframes CRM
System files Custom
Critical Privacy Drivers and Issues --
and no Equivalent Management/Compliance Model
 Networks and the PI Lifecycle
 Digitally-based personal information is networked and boundless

 Principles/Legislation/Policies
 Security and Privacy Integration expected
 Compliance - and increased international attention from regulators

 Operational privacy management standards

 Technical standards and architectures for privacy management not
yet available

 Relentless Adoption of New Business Models and Infrastructures

 Social networking
 Ubiquitous networked devices
 E-Government
 Cloud Computing
 Smart Grid
 Health IT
Privacy Management
Challenges:
Cloud Computing
World Economic Forum 2009 Study
on Cloud Computing..Deployment

 Economic Benefits • But…Major Barriers

• Entrepreneurship; create • Privacy (63%)
new businesses, jobs
• Data governance
• Platform for innovation;

accelerate innovation (e.g. data

• Increase IT efficiency and
ownership, cross-
IT flexibility border data transfer,
• Business/technology etc. (56%)
leapfrogging opportunities • Security (50%)
in developing countries
•

Source: The World Economic Forum - Used with Permission

Privacy Management
Challenges:
Smart Grid
 Smart Grid – Sample Components with
Privacy Implications

 Digital information and controls technology

 Dynamic optimization of grid operations and resources with cyber-
security
 Deployment of `smart' technologies that optimize the physical
operation of appliances and consumer devices
 for metering, communications concerning grid operations and
status, and distribution automation
 Integration of `smart' appliances and consumer devices
 Provision to consumers of timely information and control options
 Two-way communications
 See www.nist.gov/smartgrid

17 (Source: Energy Independence and Security Act of 2007)

 NIST Smart Grid Conceptual Model

18 Source: 27 NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0
Privacy Management
Challenges:
Networked Health IT
 Business Intelligence

Health Information Exchange Functional and Roles Diagram

Addressing Lifecycle Privacy Management
ISTPA

 The International Security, Trust and Privacy

Alliance (ISTPA), founded in 1999, is a global alliance of
companies, institutions and technology providers
working together to clarify and resolve existing and
evolving issues related to security, trust, and privacy

 ISTPA’s focus is on the protection and management

of personal information (PI) – www.istpa.org

Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)

 ISTPA’s Perspective on Privacy
 Operational, Technical, Architectural Focus
 Based on legal, policy and business process/control drivers
 Privacy management with support for lifecycle requirements
 “Reference Model” for system designers

 “Analysis of Privacy Principles: An Operational Study” (2007)

 14 Composite Principles derived from 12 international instruments

 Privacy Management Reference Model V2.0 (2009)

 Major revision of Privacy Framework v1.1 (2002)
 Supports the full “lifecycle” of Personal Information
 Converts privacy requirements to operational Services

Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)

 Managing Networked-Interactive Data Flows

Requestors/Users ..n …
Requestors/Users Time

PI

PI
•Non-sequential
Individual •Data subject impacted
PI
directly and indirectly
after initial data
collection

PI
Business Application 1, 2… n
Processor/Aggregator 1, 2…n

PI Life Cycle Perspective

Challenge:

Making the New Reference

Model PI and Policy–Centric

PI and Policies

Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)

Managing Multiple Policy
Instances

PI and Policies

PI and Policies

PI and Policies

Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)

“PI” as Objects - Policies as Objects…

PI Objects

PI Policy Objects

System Design perspective

Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)

… Managed in Networked “Lifecycle” Context

Aggregation
PI Use And
Linkages

PI Objects

PI Collection PI Use
Policy Objects

PI Use

System Design perspective

Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)
...with integrated Security Services

Aggregation
PI Use And
Linkages
PI Objects

PI Policy Objects

•Identity Lifecycle
PI Collection •Access PI Use
•Federation
•Data resource protection
•Audit
•Encryption…etc.

PI Use

System Design perspective

Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)
…only a standards-based,
structured model will enable us to
implement, manage and ensure
compliance with privacy policies
and security in existing and
emerging infrastructures
…such as smart grid and health IT
environments…
 Smart Grid Health IT

Supported by…

??????

Privacy Management and

Security Management and Compliance Infrastructure
Compliance Infrastructure
Toward Operational
Privacy Management
Michael Willett
 Privacy Standardization Efforts
• W3C - P3P 1.1 Platform for Privacy Preferences
Grammar for expressing privacy preferences

• CEN/ISSS Data Protection and Privacy Workshop 2008-2009

Work Programme
Best practices management system guide; privacy audit tools

• ISO 29100 (privacy framework)

•ISO 29190 (privacy capability assessment framework)
•ISO 29101 (privacy reference architecture)

• OASIS Cross-Enterprise Security and Privacy Authorization

(XSPA) Technical Committee
Exchange privacy policies, consent directives, and authorizations
within/between healthcare organizations
 What else is missing?
ANSWER: A LOT!
 Operational view: information privacy is the assured,
proper, and consistent collection, processing,
communication, use and disposition of personal
information (PI) throughout its life cycle
 consistent with data protection principles, policy requirements, and the
preferences of the individual
 Proper and consistent apply throughout the PI life cycle
 apply to all actors, systems, and networks that “touch” the information

Need an abstract model enabling

full life cycle privacy management
Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)
 “Framework” (2002) to “Reference Model” (2009)

 From a policy perspective, ISTPA received pushback on use of the term

“framework” in 2002 document

 Framework v1.1 services were validated, but lacked reference to networked,

asynchronous lifecycle

 Need to support use cases where PI is disassociated from the data collector
and the individual’s control
 Information life cycle beyond the collector
 Policy changes in the future

 Improved understanding of Service-to-Service relationships; formalized

syntax for modeling/simulation

 Tested against composite privacy principles derived globally

Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)

Privacy Management Reference Model Services

 Core Policy Services

 Agreement- agreements, options, permissions
 Control – policies – data management
 Presentation and Lifecycle Services
 Interaction - manages data/preferences/notice
 Agent - software that carries out processes
 Usage - data use, aggregation, anonymization
 Access - individual review/updates to PI
 Privacy Assurance Services
 Certification - credentials, trusted processes
 Audit - independent, verifiable accountability
 Validation - checks accuracy of PI
 Enforcement - including redress for violations

Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)

Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)
 Making Privacy Operational
PI Touch Point

Interaction - Each Touch Point node

Access configured with operational
Agreement
stack
Control Usage - Privacy Policy is an input
“parameter” to Control
PI
PI, Preferences Container - Agent is the Touch Point
& PIC Repository (PIC) programming persona
Agent -PIC contains PI and usage
agreements
Assurance Services
Validation Certification Audit Enforcement

Security Foundation
Legal, Regulatory, and Policy Context
Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)
 Privacy SERVICES
Any two touch points in the PI life cycle

Interaction Interaction
Agreement Access Agreement
Control Usage Control Usage

PI
PI, Preferences Container PIC Repository
& PIC Repository (PIC)
Agent Agent
Assurance Services
Validation Certification Audit Enforcement

Security Foundation
Legal, Regulatory, and Policy Context
Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)
 Simple Use Case
Employer application like Payroll that requests certain PI
from an employee…

Employee Payroll
Payroll AGENT and INTERACTION: a NOTICE of the
purpose/use of requested PI is presented to the Employee. The
PI, together with the permissible purpose/use, is stored in the PI
database by CONTROL and transferred to Payroll, where the PI
is submitted for VALIDATION and stored in the PI database by
CONTROL.
Employee Payroll

NOTICE

PIC

PI PI
 Managing Networked-Interactive Data Flows

Requestors/Users ..n …
Requestors/Users Time

PI

PI

Individual PI

PI
Business Application 1, 2… n
Processor/Aggregator 1, 2…n

PI Life Cycle: PMRM per Touch Point

Syntax for each Service: Functions
 DEFINE [SVC] operational requirements
 SELECT [SVC] (input, process, and output) data and parameters
 INPUT [SVC] data and parameter values in accordance with
Select
 PROCESS [SVC] data and parameter values within Functions
 OUTPUT [SVC] data, parameter values, and actions
 LINK [SVC] to other (named) Services
 SECURE [SVC] with the appropriate security functions

•Each USE CASE invokes a sequence of Service “calls”

•Each Service call executes a sequence of

Functions (drawn from these seven Functions)

TWO EXAMPLES
Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)
 Agreement
The Agreement Service provides information to individuals regarding
what PI is collected, for what purposes it will be used,
other policies and options associated with the collection and use,
and can result in consent, denial or an agreement among the parties.
The Agreement Service also enables any set of parties (individuals,
processing entities) to define agreements related to policies,
use and disposition associated with the PI at points throughout the PI
lifecycle.

Control
The Control Service encompasses the functions that work together
to ensure that PI governed by fair information practices/principles
is managed in accordance with prescribed privacy policies and controls.
These functions are established, maintained and manipulated by a
processing entity.
 Example: Agreement Functions

DEFINE Agreement requirements

Establish objectives and scope for the Agreement
service

SELECT Agreement parameters for Input,

Process, and Output

INPUT Agreement of PI definition

INPUT Agreement for additional permissions

Exchange initial
PROCESS Agreement parameters
parameters related
to a potential PROCESS Agreement exchange
agreement between PROCESS Agreement interchange
parties

Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)

… Example: Agreement Functions

OUTPUT Agreement results

Output the consent, denial or an agreement
among the parties

LINK Agreement to another Service

Connect Agreement with another Service and
pass outputs and other parameters between
Agreement and that Service, as appropriate

SECURE Agreement
Invoke security controls in support of
Agreement functions, as appropriate

Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)

(Another) Example: Control Functions

DEFINE Control requirements

Establish objectives/scope; document rules and
standards

SELECT Control parameters for Input, Process,

and Output

INPUT Control association to PI usage

INPUT Control rules from Policy

PROCESS Control configuration

PROCESS Control management
PROCESS Control of PI input/output

Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)

… Example: Control Functions

OUTPUT Control interaction with internal

parties or systems
OUTPUT Control interaction with external
parties or systems

LINK Control to another Service

Connect Control with another Service and
pass outputs and other parameters between
Control and that Service, as appropriate

SECURE Control
Invoke security controls in support of Control
functions, as appropriate

Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)

 Operational
Privacy and
Security
Controls

Supporting
Privacy
Privacy and
Principles and
Security
Practices
Architecture

Privacy Principles
to
Selection of Privacy Laws
Security Privacy Implementation and Policies
Services and
Functions
Privacy Management
Reference Model

Selection of
Reference Privacy
Model Services Requirements
and Functions
Where Does the Reference Model Fit?

Privacy Management Reference Model

Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)
 Next Steps
 Proposing an OASIS Privacy Management Reference Model (PMRM)
Technical Committee

 Soliciting initial “proposers” (e.g., ISTPA, NIST, ABA, CA, others)

 Drafting the TC Charter
 Planning the first TC meeting (probably in Washington, DC)

 Looking for partners to host workshops to test the Reference Model

against use cases and privacy scenarios

 TC Objectives: Formally develop the PMRM, define functions, develop

relevant use cases, identify business process and technical
mechanisms to support the PMRM and establish the PMRM as an
industry standard

 Smart Grid Coordination with OASIS Blue Member Section

 Work with the Health I.T. community on relevant Use Cases

Copyright © 1999-2010 International Security Trust and Privacy Alliance (ISTPA)
 Questions?
John Sabo
john.t.sabo@ca.com

Michael Willett
mwillett@nc.rr.com

Dee Schur (OASIS)

dee.schur@oasis-open.org

PMRM available at www.istpa.org